Up to 40,000 MongoDB databases left unsecured online

MongoDB is back in the spotlight for all the wrong reasons. Up to 40,000 MongoDB databases have been found open and unsecured by a team of students, showing how potential cybercriminals could access sensitive and important data.

A major security issue has been unveiled at MongoDB with 40,000 databases discovered unsecured on the internet. The discovery was made by university students in Germany who were able to gain easy access by running a port scan on the internet to find openly accessible databases.

Security best practice

The three students from Saarland University who uncovered the security issue were able to document how potential hackers could access the open databases or website backends. One of these belonged to a French telecommunications company and contained around 8 million customer phone numbers and addresses.

MongoDB listens by default on TCP port 27017, which means any ordinary port scan could potentially identify openly accessible databases. The students, Jens Heyens, Kai Greshake and Eric Petryka, claimed this was possible within a four-hour time period.

Eliot Horowitz, MongoDB CTO, posted on the company’s blog on Tuesday about MongoDB’s security best practices and how customers could avoid the kind of security issues highlighted by the recent alert about exposed databases:

MongoDB takes security very seriously. Recently a team of German researchers discovered unsecured instances of MongoDB running openly on the internet. Readers who are concerned about access to their systems are reminded of the following resources:

The most popular installer for MongoDB (RPM) limits network access to localhost by default.

Security is addressed in detail in our Security Manual. The Security Checklist discusses limiting network exposure. Note that the method to do this will vary significantly depending on where the service is hosted (AWS, Azure, locally, etc).

Additionally, users of MongoDB Management Service (MMS) can enable alerts to detect if their deployment is internet exposed (see figure below).

A discussion on security is provided in two parts. Part 1 covers Design and Configuration. Part II covers 10 mistakes that can compromise your database.

With the above advice, it seems that although MongoDB addresses security as part of its service, organisations that use MongoDB behind their web applications are, despite these guidelines, likely to have overlooked the need to activate security mechanisms for their database.
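The two points the article turns on are the default listening port (27017) and the advice in MongoDB's Security Checklist to limit network exposure. The script below is an added example, not code from the article or from MongoDB, showing how an administrator can check both on their own host: it audits a mongod.conf excerpt for a `net.bindIp` that is not loopback-only and for `security.authorization` not being `enabled` (both are real mongod configuration keys), and it parses `ss -ltn` style output to report whether port 27017 is bound to a non-loopback interface. All configuration text and listener output is constructed for the demonstration; the small YAML reader handles only the two-level subset that mongod.conf uses, where a real tool would call `yaml.safe_load`.

```python
"""Audit a MongoDB host for the exposure described in the article.
Added example; the mongod.conf samples and the `ss -ltn` output are constructed."""
import ipaddress
import re

MONGO_DEFAULT_PORT = 27017  # default mongod port, as stated in the article


def parse_simple_yaml(text):
    """Read the two-level 'section:\\n  key: value' subset used by mongod.conf.
    Comments (#...) and blank lines are ignored. Production code would use yaml.safe_load."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            conf[section] = {} if value == "" else value
        elif section is not None and isinstance(conf.get(section), dict):
            conf[section][key] = value
    return conf


def is_loopback_only(bind_ip):
    """True when every entry of net.bindIp is loopback (127.0.0.1, ::1 or 'localhost').
    Hostnames and malformed entries are treated as exposure so they get a human look."""
    for addr in (a.strip() for a in str(bind_ip).split(",")):
        if addr == "localhost":
            continue
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return False
        except ValueError:
            return False
    return True


def audit_config(text):
    """Return findings for a mongod.conf excerpt; an empty list means nothing to report."""
    conf = parse_simple_yaml(text)
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}
    findings = []
    bind_ip = net.get("bindIp")
    if bind_ip is None:
        findings.append("net.bindIp not set: exposure depends on the installer/build default")
    elif not is_loopback_only(bind_ip):
        findings.append(f"net.bindIp={bind_ip}: mongod listens on a non-loopback interface")
    if sec.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': clients need no credentials")
    return findings


# `ss -ltn` rows look like: LISTEN 0 128 0.0.0.0:27017 0.0.0.0:*
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def exposed_listeners(ss_output, port=MONGO_DEFAULT_PORT):
    """Return the local addresses on which `port` is listening on a non-loopback
    interface. '*', 0.0.0.0 and [::] mean every interface."""
    exposed = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m or int(m.group(2)) != port:
            continue
        addr = m.group(1).strip("[]")
        if addr in ("*", "0.0.0.0", "::"):
            exposed.append(addr)
            continue
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                exposed.append(addr)
        except ValueError:
            exposed.append(addr)
    return exposed


# Constructed samples: the weak configuration beside the corrected one.
WEAK_CONF = """\
# constructed mongod.conf: listens on every interface, no authorization
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
# constructed mongod.conf: loopback only, authorization required
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*
LISTEN 0      128    0.0.0.0:27017       0.0.0.0:*
LISTEN 0      128    [::]:27017          [::]:*
"""

if __name__ == "__main__":
    print("weak config:", audit_config(WEAK_CONF))
    print("hardened config:", audit_config(HARDENED_CONF))
    print("27017 exposed on:", exposed_listeners(SS_SAMPLE))
```

Running the script reports two findings for the weak configuration, none for the hardened one, and flags the wildcard IPv4 and IPv6 listeners in the sample `ss` output. The configuration check and the listener check complement each other: the first catches the mistake before the service starts, the second confirms what is actually reachable on the running host, which also covers instances started from the command line with flags that override the file.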

After discovering the security problem, the three students alerted the French Data Protection Authority (CNIL), the Federal Office for Information Security and MongoDB so that the affected database owners could be notified and the required action taken.

The controversy comes after MongoDB recently announced that its 3.0 release will be made available from March.